PoshC2

PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]

ID: S0378
Type: TOOL
Platforms: Windows, Linux, macOS
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation | PoshC2 contains a number of modules, such as Invoke-RunAs and Invoke-TokenManipulation, for manipulating tokens.[1] |
| Enterprise | T1087 | Account Discovery | PoshC2 can enumerate local and domain user account information.[1] |
| Enterprise | T1119 | Automated Collection | PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.[1] |
| Enterprise | T1110 | Brute Force | PoshC2 has modules for brute forcing local administrator and AD user accounts.[1] |
| Enterprise | T1088 | Bypass User Account Control | PoshC2 can utilize multiple methods to bypass UAC.[1] |
| Enterprise | T1090 | Connection Proxy | PoshC2 contains modules that allow for use of proxies in command and control.[1] |
| Enterprise | T1003 | Credential Dumping | PoshC2 contains an implementation of Mimikatz to gather credentials from memory.[1] |
| Enterprise | T1081 | Credentials in Files | PoshC2 contains modules for searching for passwords in local and remote files.[1] |
| Enterprise | T1002 | Data Compressed | PoshC2 contains a module for compressing data using ZIP.[1] |
| Enterprise | T1482 | Domain Trust Discovery | PoshC2 has modules for enumerating domain trusts.[1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099.[1] |
| Enterprise | T1210 | Exploitation of Remote Services | PoshC2 contains a module for exploiting SMB via EternalBlue.[1] |
| Enterprise | T1083 | File and Directory Discovery | PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.[1] |
| Enterprise | T1056 | Input Capture | PoshC2 has modules for keystroke logging and for capturing credentials from spoofed Outlook authentication prompts.[1] |
| Enterprise | T1171 | LLMNR/NBT-NS Poisoning and Relay | PoshC2 can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.[1] |
| Enterprise | T1046 | Network Service Scanning | PoshC2 can perform port scans from an infected host.[1] |
| Enterprise | T1040 | Network Sniffing | PoshC2 contains a module for taking packet captures on compromised hosts.[1] |
| Enterprise | T1075 | Pass the Hash | PoshC2 has a number of modules that leverage pass the hash for lateral movement.[1] |
| Enterprise | T1201 | Password Policy Discovery | PoshC2 can use Get-PassPol to enumerate the domain password policy.[1] |
| Enterprise | T1069 | Permission Groups Discovery | PoshC2 contains modules, such as Get-LocAdm, for enumerating permission groups.[1] |
| Enterprise | T1055 | Process Injection | PoshC2 contains multiple modules for injecting into processes, such as Invoke-PSInject.[1] |
| Enterprise | T1035 | Service Execution | PoshC2 contains an implementation of PsExec for remote execution.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol | PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.[1] |
| Enterprise | T1082 | System Information Discovery | PoshC2 contains modules, such as Get-ComputerInfo, for enumerating common system information.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | PoshC2 can enumerate network adapter information.[1] |
| Enterprise | T1049 | System Network Connections Discovery | PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections.[1] |
| Enterprise | T1007 | System Service Discovery | PoshC2 can enumerate service and service permission information.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | PoshC2 has a number of modules that use WMI to execute tasks.[1] |
| Enterprise | T1084 | Windows Management Instrumentation Event Subscription | PoshC2 has the ability to persist on a system using WMI event subscriptions.[1] |

Groups

Groups that use this software:

APT33

References